Fundamental audit concepts and principles for ISO 27001


In this blog, we will be going over the fundamental audit concepts and principles for ISO 27001. Dive in and learn these concepts!

The 4 standards that relate to auditing are:

  • ISO 19011 – not specific to security, but gives the foundation for the art of auditing 
  • ISO 17021 – the standard that guides certification bodies on how to run their processes 
  • ISO 27007 – guidelines on auditing information security management systems 
  • ISO 27008 – guidelines for the assessment of security controls 

Naturally, ISO 27001 is different from the four standards above: it is a requirements standard, so companies from any industry can comply with its requirements and get their ISMS certified against it. 

What is an Audit?

Critical elements of an audit, as per ISO 19011, Clause 3.1 are:

  • Systematic – following a process approach 
  • Independent – unbiased 
  • Documented process for – there is a paper trail
  • Obtaining objective evidence and – unbiased; physical and digital records that show compliance 
  • Evaluating it objectively – reviewing the records against the requirements 
  • To determine the extent to which the audit criteria are fulfilled – the criteria are defined within the audit plan 

Different Types of Audits:

  • Internal audit – the organization auditing its own processes to improve
  • Second party audit
  • Third-party audit – implementing a third-party standard, like ISO 27001, and then asking a third-party company to come and give its professional opinion on compliance with that standard 
  • Pre-assessment audit – done by the third-party certification body to check whether your organization is ready for the official certification audit 

Involved Parties 

  • Audit client – the company paying for the audit 
  • Auditee – the organization being audited 
  • Audit team – the auditor(s) doing the audit + technical experts if needed 
  • Auditor – the person gathering the evidence 
  • Technical expert – works with the auditors to provide professional expertise; technical experts are not auditing the process, they simply provide information to the auditor 

The Audit Objectives

As defined in ISO 17021 Clause, the goal of doing an audit is as follows:

  • Determining the organization’s compliance with the audit criteria
  • Ensuring the management system meets the needs of all stakeholders 
  • Determining the effectiveness of the management system in meeting the organizational objectives
  • Identifying areas for improvement 

The Audit Planning Process

Defining the audit criteria for the audit is an important step within the audit planning process. 

Before doing the audit plan, it is important to sit down with the audit team and determine the inherent risks of the organization. 

The Stage 2 audit planning steps include:

  • Learning about the auditee’s mission, objectives and processes
  • Defining the audit objectives and audit scope 
  • Conducting a risk assessment
  • Developing the audit strategy 

The audit criteria are derived from the scope of certification, and can also be integrated with any of the following:

  • Internal rules and policies
  • Laws and regulations
  • Relevant interested parties’ requirements
  • Other standards 
  • Commercial contracts and agreements 

The audit criteria are used as the reference for determining conformity. Whenever a non-conformity is found, it is a breach of a specific audit criterion. 

Audit Risk 

Audit risk relates to the chances of the audit being a success, and there are 3 aspects to it:

  • Inherent risk – the risk that the organization faces because of its nature; e.g. the financial sector faces risks related to financial fraud 
  • Control risk – the risk that the controls implemented to mitigate those risks fail; where are controls most likely to fail? 
  • Detection risk – the risk that I (as an auditor) fail to notice a significant problem 

Auditing an Integrated Management System

Companies might choose to implement ISO 27001 together with other standards, most commonly ISO 9001. By auditing certain elements of one standard, one is often also auditing the same requirement of the other standard. 

Core Principles/Ethics of an Auditor 

Integrity

Operating the audit in an honest, independent and clear manner, and basing all judgements on evidence (or the lack thereof).

Fair Presentation

All evidence has to be truthful and accurate, in all cases, and not based on hearsay or opinion. If during the audit people are not able to provide certain information, this needs to be declared in the report; not to cause trouble, but to be transparent. 

Due Professional Care

Due professional care is also important: the auditor has to follow sound auditing procedures and use all the required tools.

Evidence-Based Approach 

No standard tells you whether you have enough evidence or not. As auditors, we must have enough evidence to be able to defend our recommendation for a client’s certification. The goal isn’t to find as many non-conformities (NCs) as possible; rather, the auditor’s role is to help the client establish how they are meeting the requirements. The goal of ISO certification is continual improvement, and that is where professional scepticism is important.

Naturally, if we detect illegalities, we cannot turn a blind eye. And depending on the types of activity we are talking about – we might also want to contact the authorities. If you are working for a certification body, it is important to take the necessary legal advice. Auditors are not investigators – our role is to make our report, communicate it as needed, and let authorities do their work.

Confidentiality

As auditors, we have access to confidential information about the client. Naturally, confidentiality is critical whether the client asks for a non-disclosure agreement or not. Auditors cannot leave their notes lying around either. There are cases where we are required to share certification information professionally; for example, the accreditation authority wants to see our records as part of its own audit. In such a case, we would naturally share the information, as this would have been pre-agreed. There are also situations where disclosing information is required by law. As stated earlier, one must seek legal advice in such a case. 

Independence

There are those who build and implement an ISMS. An auditor needs to have independence of mind, and also the appearance of independence. Independence is threatened if the auditor stands to gain something from the audit, for example because they have worked with the client in the past. Self-review is the situation where an auditor is auditing their own work: if I’m checking my own work, there are deliberate and accidental mistakes that I won’t see.

Therefore, having someone else check your processes is important. Moreover, you cannot audit people with whom you are familiar, such as friends and family; and even with an ordinary client it is good to rotate auditors after 2 or 3 audits, because we might get complacent. Conversely, if there is external pressure on the auditor to give a certain result, this should not be accepted, and the right interested parties have to be contacted. 

Further to this, a consultant cannot be lead auditor with a certification body for the same client. 

Risk Based Approach

As with all standards, the auditing standard asks auditors to apply common sense and follow a risk-based approach to guide their actions in the field. 

Competencies of Auditor 

A lead auditor will organize and manage the team, including dealing with conflicts. Ultimately it is the lead auditor who needs to make the final findings and present them to the certification committee. 

ISO 19011 states that auditors have to be competent in the auditing process. Competence is a blend of the following: 

  • Audit experience
  • Initial training 
  • Continual training 
  • Professional experience 
  • Personal qualities

Personal Behaviour 

ISO 19011 Clause 7.2.2 lists the following professional behaviours that are desirable in an auditor:

  • Ethical
  • Open minded
  • Diplomatic
  • Observant
  • Perceptive
  • Versatile
  • Tenacious
  • Decisive 
  • Self-reliant
  • Able to act with fortitude
  • Open to improvement
  • Culturally sensitive
  • Collaborative 
